Day 2 of the ACEH BIMTEK (technical guidance session): Wardriving and Wireless Security

ACEH technical guidance session (Bimbingan Teknis) on Wardriving and Wireless Security

Transcript

  • 1. DIRECTORATE OF INFORMATION SECURITY
    BIMTEK "INFORMATION SECURITY AND INFORMATION NETWORK HANDLING"
    DAY 2: WARDRIVING and WIRELESS SECURITY
    THE PADE - NAD, 14 NOVEMBER 2013
  • 2. WARDRIVING and WIRELESS SECURITY
    Indonesia Academic CSIRT (Computer Security Incident Response Team)
    IGN Mantra, Email: mantra@acad-csirt.or.id, URL: acad-csirt.or.id
  • 3. Objectives
    • Explain wireless technology
    • Describe wireless networking standards
    • Describe the process of authentication
    • Describe wardriving
    • Describe wireless hacking and tools used by hackers and security professionals
  • 4. Understanding Wireless Technology
    • For a wireless network to function, you must have the right hardware and software
    • Wireless technology is part of our lives
      – Baby monitors
      – Cell and cordless phones
      – Pagers
      – GPS
      – Remote controls
      – Garage door openers
      – Two-way radios
      – Wireless PDAs
  • 5. Components of a Wireless Network
    • A wireless network has only three basic components
      – Access Point (AP)
      – Wireless network interface card (WNIC)
      – Ethernet cable
  • 6. Access Points
    • An access point (AP) is a transceiver that connects to an Ethernet cable
      – It bridges the wireless network with the wired network
        • Not all wireless networks connect to a wired network
      – Most companies have Wireless LANs (WLANs) that connect to their wired network topology
  • 7. Access Points
    • The AP is where channels are configured
    • An AP enables users to connect to a LAN using wireless technology
      – An AP is available only within a defined area
  • 8. Service Set Identifiers (SSIDs)
    • Name used to identify the wireless local area network (WLAN)
    • The SSID is configured on the AP
      – Unique 1- to 32-character alphanumeric name
      – Name is case sensitive
    • Wireless computers need to configure the SSID before connecting to a wireless network
  • 9. Service Set Identifiers (SSIDs)
    • SSID is transmitted with each packet
      – Identifies which network the packet belongs to
    • The AP usually broadcasts the SSID
  • 10. Service Set Identifiers (SSIDs)
    • Many vendors have SSIDs set to a default value that companies never change
    • An AP can be configured to not broadcast its SSID until after authentication
      – Wireless hackers can attempt to guess the SSID
    • Verify that your clients or customers are not using a default SSID
  • 11. (image-only slide)
  • 12. Configuring an Access Point
    • Configuring an AP varies depending on the hardware
      – Most devices allow access through any Web browser
      – Enter the IP address in your Web browser and provide your user logon name and password
  • 13. Wireless Router
    • A wireless router includes an access point, a router, and a switch
  • 14. Demo: Configuring an Access Point
    • Wireless Configuration Options
      – SSID
      – Wired Equivalent Privacy (WEP) encryption
      – Changing Admin Password
  • 15. Configuring an Access Point
    • Wireless Configuration Options
      – SSID
      – Wired Equivalent Privacy (WEP) encryption
      – WPA (Wi-Fi Protected Access) is better
  • 16. Configuring an Access Point (continued)
    • Steps for configuring a D-Link wireless router (continued)
      – Turn off SSID broadcast
      – You should also change your SSID
  • 17. (image-only slide)
  • 18. Wireless NICs
    • For wireless technology to work, each node or computer must have a wireless NIC
    • NIC's main function
      – Converting the radio waves it receives into digital signals the computer understands
  • 19. Wireless NICs
    • There are many wireless NICs on the market
      – Choose yours depending on how you plan to use it
      – Some tools require certain specific brands of NICs
  • 20. Understanding Wireless Network Standards
    • A standard is a set of rules formulated by an organization
    • Institute of Electrical and Electronics Engineers (IEEE)
      – Defines several standards for wireless networks
  • 21. IEEE Standards
    • Standards pass through these groups:
      – Working group (WG)
      – Sponsor Executive Committee (SEC)
      – Standards Review Committee (RevCom)
      – IEEE Standards Board
    • IEEE Project 802
      – LAN and WAN standards
  • 22. The 802.11 Standard
    • The first wireless technology standard
    • Defined wireless connectivity at 1 Mbps and 2 Mbps within a LAN
    • Applied to layers 1 and 2 of the OSI model
    • Wireless networks cannot detect collisions
      – Carrier sense multiple access/collision avoidance (CSMA/CA) is used instead of CSMA/CD
  • 23. Addressing
    • Wireless LANs do not have an address associated with a physical location
      – An addressable unit is called a station (STA)
  • 24. The Basic Architecture of 802.11
    • 802.11 uses a basic service set (BSS) as its building block
      – Computers within a BSS can communicate with each other
  • 25. The Basic Architecture of 802.11
    • To connect two BSSs, 802.11 requires a distribution system (DS)
  • 26. Frequency Range
    • In the United States, Wi-Fi uses frequencies near 2.4 GHz
    • (Except 802.11a at 5 GHz)
      – There are 11 channels, but they overlap, so only three are commonly used
    • See link Ch 11c (cisco.com)
  • 27. Infrared (IR)
    • Infrared light can't be seen by the human eye
    • IR technology is restricted to a single room or line of sight
    • IR light cannot penetrate walls, ceilings, or floors
      – Image: IR transmitter for wireless headphones
  • 28. IEEE Additional 802.11 Projects
    • 802.11a
      – Created in 1999
      – Operating frequency 5 GHz
      – Throughput 54 Mbps
  • 29. IEEE Additional 802.11 Projects (continued)
    • 802.11b
      – Operates in the 2.4 GHz range
      – Throughput 11 Mbps
      – Also referred to as Wi-Fi (wireless fidelity)
      – Allows for 11 channels to prevent overlapping signals
        • Effectively only three channels (1, 6, and 11) can be used in combination without overlapping
      – Introduced Wired Equivalent Privacy (WEP)
  • 30. IEEE Additional 802.11 Projects (continued)
    • 802.11e
      – It has improvements to address the problem of interference
        • When interference is detected, signals can jump to another frequency more quickly
    • 802.11g
      – Operates in the 2.4 GHz range
      – Throughput increased from 11 Mbps to 54 Mbps
  • 31. IEEE Additional 802.11 Projects (continued)
    • 802.11i
      – Introduced Wi-Fi Protected Access (WPA)
      – Corrected many of the security vulnerabilities of 802.11b
    • 802.11n (draft)
      – Finalized in Dec 2009
      – Speeds up to 300 Mbps
      – Aerohive AP runs at 264 Mbps now
  • 32. IEEE Additional 802.11 Projects (continued)
    • 802.15
      – Addresses networking devices within one person's workspace
        • Called wireless personal area network (WPAN)
      – Bluetooth is one of six 802.15 standards
    • Image from ubergizmo.com
  • 33. IEEE Additional 802.11 Projects (continued)
    • Bluetooth
      – Defines a method for interconnecting portable devices without wires
      – Maximum distance allowed is 10 meters
      – It uses the 2.45 GHz frequency band
      – Throughput of up to 2.1 Mbps for Bluetooth 2.0
        • Note: the speed value of 12 Mbps in your book and the lecture notes is wrong.
  • 34. IEEE Additional 802.11 Projects (continued)
    • 802.16 (also called WiMAX)
      – Addresses the issue of wireless metropolitan area networks (MANs)
      – Defines the WirelessMAN Air Interface
      – Range of up to 30 miles
      – Throughput of up to 120 Mbps
    • 802.20
      – Addresses wireless MANs for mobile users who are sitting in trains, subways, or cars traveling at speeds up to 150 miles per hour
  • 35. IEEE Additional 802.11 Projects (continued)
    • Bluetooth
      – Defines a method for interconnecting portable devices without wires
      – Maximum distance allowed is 10 meters
      – It uses the 2.45 GHz frequency band
      – Throughput of up to 12 Mbps
    • HiperLAN2
      – European WLAN standard
      – It is not compatible with 802.11 standards
  • 36. 2.1 Mbps (image-only slide)
  • 37. Understanding Authentication
    • Wireless technology brings new security risks to a network
    • Authentication
      – Establishing that a user is authentic, that is, authorized to use the network
      – If authentication fails, anyone in radio range can use your network
  • 38. The 802.1X Standard
    • Defines the process of authenticating and authorizing users on a WLAN
    • Basic concepts
      – Point-to-Point Protocol (PPP)
      – Extensible Authentication Protocol (EAP)
      – Wired Equivalent Privacy (WEP)
      – Wi-Fi Protected Access (WPA)
  • 39. Point-to-Point Protocol (PPP)
    • Many ISPs use PPP to connect dial-up or DSL users
    • PPP handles authentication with a user name and password, sent with PAP or CHAP
      – PAP (Password Authentication Protocol) sends passwords unencrypted
        • Vulnerable to trivial sniffing attacks
  • 40. CHAP Vulnerability
    • CHAP (Challenge-Handshake Authentication Protocol)
      – Server sends a Challenge with a random value
      – Client sends a Response, hashing the random value with the secret password
    • This is still vulnerable to a sort of session hijacking attack
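The PAP and CHAP exchanges from the two slides above, written out as an added example that is not part of the deck: a PPP link is simulated, the shared secret and user names are constructed, and each exchange returns both what a passive sniffer on the link would capture and the server's verdict. The CHAP response is computed as RFC 1994 specifies.

```python
"""PAP versus CHAP (RFC 1994) on a simulated PPP link.

Added example, not from the slide deck. The user names, secret and
link are constructed for illustration; the point is what a passive
sniffer on the link can see in each case.
"""
import hashlib
import hmac
import os
from typing import Tuple

# Constructed shared secret held by both peers. In CHAP it never
# travels over the link; in PAP it is the password itself.
SECRET = b"correct-horse"


def pap_exchange(username: bytes, password: bytes) -> Tuple[dict, bool]:
    """PAP: the client simply sends user name and password in cleartext."""
    on_the_wire = {"user": username, "password": password}
    return on_the_wire, hmac.compare_digest(password, SECRET)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge() -> Tuple[int, bytes]:
    """Server side: a fresh identifier and random challenge for every attempt."""
    return os.urandom(1)[0], os.urandom(16)


def chap_verify(identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with its own copy of the secret and compare."""
    expected = chap_response(identifier, SECRET, challenge)
    return hmac.compare_digest(response, expected)


def chap_exchange(client_secret: bytes) -> Tuple[dict, bool]:
    """Run one CHAP round; returns what a sniffer sees and the server verdict."""
    identifier, challenge = chap_challenge()
    response = chap_response(identifier, client_secret, challenge)
    on_the_wire = {"id": identifier, "challenge": challenge, "response": response}
    return on_the_wire, chap_verify(identifier, challenge, response)
```

Because the challenge is random per attempt, a response captured from one round does not verify against the next one, which is what the hashed exchange buys over PAP.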
  • 41. Extensible Authentication Protocol (EAP)
    • EAP is an enhancement to PPP
    • Allows a company to select its authentication method
      – Certificates
      – Kerberos
        • Kerberos is used on LANs for authentication
        • Uses Tickets and Keys
        • Used by Windows 2000, XP, and 2003 Server by default
        • Not common on WLANs (I think)
  • 42. X.509 Certificate
    • Record that authenticates network entities
    • Identifies
      – The owner
      – The certificate authority (CA)
      – The owner's public key
  • 43. Sample X.509 Certificate
    • Go to gmail.com
    • Double-click the padlock
  • 44. Public Key
    • Your browser uses the Public Key to encrypt data so only Gmail can read it
  • 45. LEAP
    • Lightweight Extensible Authentication Protocol (LEAP)
      – A Cisco product
      – Vulnerable, but Cisco didn't care
      – Joshua Wright wrote the ASLEAP hacking tool to crack LEAP, and forced Cisco to develop a better protocol
  • 46. More Secure EAP Methods
    • Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
      – Secure but rarely used, because both client and server need certificates signed by a CA
    • Protected EAP (PEAP) and Microsoft PEAP
      – Very secure, only requires the server to have a certificate signed by a CA
    • See link Ch 11h
  • 47. 802.1X components
    • Supplicant
      – The user accessing a WLAN
    • Authenticator
      – The AP
    • Authentication server
      – Checks an account database to see if the user's credentials are acceptable
      – May use RADIUS (Remote Authentication Dial-In User Service)
  • 48. (image-only slide)
  • 49. Wired Equivalent Privacy (WEP)
    • Part of the 802.11b standard
    • Encrypts data on a wireless network
    • WEP has many vulnerabilities
    • To crack WEP
  • 50. Wi-Fi Protected Access (WPA)
    • Specified in the 802.11i standard
    • Replaces WEP
    • WPA improves encryption by using Temporal Key Integrity Protocol (TKIP)
  • 51. TKIP Enhancements
    • Message Integrity Check (MIC)
      – Prevents an attacker from injecting forged packets
    • Extended Initialization Vector (IV) with sequencing rules
      – Prevents replays (an attacker re-sending copied packets)
  • 52. TKIP Enhancements
    • Per-packet key mixing
      – MAC addresses are used to create a key
      – Each link uses a different key
    • Rekeying mechanism
      – Provides fresh keys
      – Prevents attackers from reusing old keys
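The two TKIP rules on slides 51 and 52 (a MIC against forged packets and sequencing of the extended IV against replays) as a receiver-side check, written here as an added example that is not from the deck. It assumes HMAC-SHA256 truncated to 8 bytes in place of the Michael MIC and a plain 48-bit counter in place of the TSC that TKIP splits across the IV/ExtIV fields; keys, addresses and frames are constructed.

```python
"""Replay and forgery checks in the style of TKIP (added example, not from
the slide deck). HMAC-SHA256 truncated to 8 bytes stands in for the Michael
MIC and a 48-bit counter for the TSC carried in TKIP's IV/ExtIV fields;
keys, MAC addresses and frames are constructed for illustration.
"""
import hashlib
import hmac
from typing import Optional

TSC_LEN, MIC_LEN = 6, 8


def compute_mic(mic_key: bytes, transmitter: bytes, tsc: int, payload: bytes) -> bytes:
    """MIC over sender address, sequence counter and payload (stand-in for Michael)."""
    msg = transmitter + tsc.to_bytes(TSC_LEN, "big") + payload
    return hmac.new(mic_key, msg, hashlib.sha256).digest()[:MIC_LEN]


def build_frame(mic_key: bytes, transmitter: bytes, tsc: int, payload: bytes) -> bytes:
    """Sender: TSC || MIC || payload (real TKIP also encrypts with a per-packet key)."""
    mic = compute_mic(mic_key, transmitter, tsc, payload)
    return tsc.to_bytes(TSC_LEN, "big") + mic + payload


class TkipStyleReceiver:
    """Tracks the last accepted TSC for one transmitter; drops replays and forgeries."""

    def __init__(self, mic_key: bytes, transmitter: bytes):
        self.mic_key = mic_key
        self.transmitter = transmitter
        self.last_tsc = -1                      # nothing accepted yet
        self.dropped = {"replay": 0, "mic": 0}  # counters a monitor would alert on

    def accept(self, frame: bytes) -> Optional[bytes]:
        tsc = int.from_bytes(frame[:TSC_LEN], "big")
        mic = frame[TSC_LEN:TSC_LEN + MIC_LEN]
        payload = frame[TSC_LEN + MIC_LEN:]
        # Sequencing rule: the counter must strictly increase. Simplified: real
        # TKIP keeps a counter per QoS priority and tolerates a small reorder window.
        if tsc <= self.last_tsc:
            self.dropped["replay"] += 1
            return None
        # Integrity rule: modified or forged data fails the MIC check. Real TKIP
        # additionally starts countermeasures after two MIC failures within a minute.
        expected = compute_mic(self.mic_key, self.transmitter, tsc, payload)
        if not hmac.compare_digest(mic, expected):
            self.dropped["mic"] += 1
            return None
        self.last_tsc = tsc
        return payload
```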
  • 53. WPA Adds 802.1X
    • WPA also adds an authentication mechanism implementing 802.1X and EAP
      – This was not available in WEP
  • 54. Understanding Wardriving
    • Hackers use wardriving
      – Finding insecure access points
      – Using a laptop or palmtop computer
    • Wardriving is not illegal
      – But using the resources of these networks is illegal
    • Warflying
      – Variant where an airplane is used instead of a car
  • 55. How It Works
    • An attacker or security tester simply drives around with the following equipment
      – Laptop computer
      – Wireless NIC
      – An antenna
      – Software that scans the area for SSIDs
    • Not all wireless NICs are compatible with scanning programs
    • Antenna prices vary depending on the quality and the range they can cover
  • 56. How It Works (continued)
    • Scanning software can identify
      – The company's SSID
      – The type of security enabled
      – The signal strength
        • Indicating how close the AP is to the attacker
  • 57. Demo: VistaStumbler
  • 58. NetStumbler
    • Shareware tool written for Windows that enables you to detect WLANs
      – Supports 802.11a, 802.11b, and 802.11g standards
    • NetStumbler was primarily designed to
      – Verify your WLAN configuration
      – Detect other wireless networks
      – Detect unauthorized APs
  • 59. NetStumbler
    • NetStumbler is capable of interfacing with a GPS
      – Enabling a security tester or hacker to map out locations of all the WLANs the software detects
  • 60. NetStumbler
    • NetStumbler logs the following information
      – SSID
      – MAC address and Manufacturer of the AP
      – Channel
      – Signal Strength
      – Encryption
    • Can detect APs within a 350-foot radius
      – With a good antenna, they can locate APs a couple of miles away
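An audit pass over a scan export, as an added example that is neither from the deck nor from NetStumbler: the CSV lines are constructed to carry the fields the slide above lists (SSID, AP MAC, channel, signal strength, encryption) and are not NetStumbler's real export layout; the default-SSID list and the inventory of approved BSSIDs are assumptions. It turns the log into the checks the deck asks for: default SSIDs (slide 10), WEP or open encryption, channels outside 1/6/11, and APs that are not in your inventory (slide 58's "detect unauthorized APs").

```python
"""Audit of a wardriving scan export (added example, not from the slide deck).
The CSV below is constructed with the fields the deck says NetStumbler logs;
it is not NetStumbler's real export format. The default-SSID list and the
approved-BSSID inventory are assumptions for the example.
"""
import csv
import io

# Constructed scan export: one line per access point seen.
SCAN_EXPORT = """ssid,bssid,channel,signal,encryption
CorpNet,00:11:22:33:44:01,6,-48,WPA2
linksys,00:11:22:33:44:02,6,-71,NONE
CorpNet,00:11:22:33:44:03,3,-80,WEP
,00:11:22:33:44:04,11,-60,WPA2
Guest,00:11:22:33:44:05,1,-55,WPA2
"""

# Assumed sample of factory-default SSIDs (slide 10: vendors ship defaults that
# companies never change). Extend it with your own vendors' defaults.
DEFAULT_SSIDS = {"default", "linksys", "dlink", "netgear", "wireless"}

# Assumed inventory of sanctioned APs; anything else is a rogue candidate.
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:05"}

# Slide 29: only channels 1, 6 and 11 can be used together without overlapping.
NON_OVERLAPPING_CHANNELS = {1, 6, 11}


def audit_ap(row: dict) -> list:
    """Return the findings for one AP row of the export."""
    findings = []
    ssid, enc = row["ssid"], row["encryption"].upper()
    if ssid == "":
        findings.append("hidden SSID (hides from beginners only)")
    elif ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    if enc in ("NONE", "OPEN"):
        findings.append("no encryption")
    elif enc == "WEP":
        findings.append("WEP (crackable, use WPA)")
    if int(row["channel"]) not in NON_OVERLAPPING_CHANNELS:
        findings.append("overlapping channel")
    if row["bssid"].lower() not in APPROVED_BSSIDS:
        findings.append("BSSID not in inventory (possible rogue AP)")
    return findings


def audit_export(text: str) -> dict:
    """Map each BSSID to its findings; APs with no findings are omitted."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_ap(row)
        if findings:
            report[row["bssid"]] = findings
    return report
```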
  • 61. (image-only slide)
  • 62. (image-only slide)
  • 63. Kismet
    • Another product for conducting wardriving attacks
    • Runs on Linux, BSD, Mac OS X, and Linux PDAs
    • Kismet is advertised also as a sniffer and IDS
      – Kismet can sniff 802.11b, 802.11a, and 802.11g traffic
  • 64. Kismet features
    – Ethereal- and Tcpdump-compatible data logging
    – AirSnort compatible
    – Network IP range detection
  • 65. Kismet features (continued)
    – Hidden network SSID detection
    – Graphical mapping of networks
    – Client-server architecture
    – Manufacturer and model identification of APs and clients
    – Detection of known default access point configurations
    – XML output
    – Supports 20 card types
  • 66. Understanding Wireless Hacking
    • Hacking a wireless network is not much different from hacking a wired LAN
    • Techniques for hacking wireless networks
      – Port scanning
      – Enumeration
  • 67. Tools of the Trade
    • Equipment
      – Laptop computer
      – A wireless NIC
      – An antenna
      – Sniffer software
  • 68. AirSnort
    • Created by Jeremy Bruestle and Blake Hegerle
    • It is the tool most hackers wanting to access WEP-enabled WLANs use
    • AirSnort limitations
      – Runs on either Linux or Windows (textbook is wrong)
      – Requires specific drivers
      – Not all wireless NICs function with AirSnort
    • See links Ch 11p, 11q
  • 69. WEPCrack
    • Another open-source tool used to crack WEP encryption
      – WEPCrack was released about a week before AirSnort
    • It also works on *NIX systems
    • WEPCrack uses Perl scripts to carry out attacks on wireless systems
      – AirSnort is considered better (link Ch 11r)
  • 70. Countermeasures for Wireless Attacks
    • Anti-wardriving software makes it more difficult for attackers to discover your wireless LAN
      – Honeypots
        • Servers with fake data to snare intruders
      – Fakeap and Black Alchemy Fake AP
        • Software that makes fake Access Points
  • 71. Countermeasures for Wireless Attacks
    • Use special paint to stop radio from escaping your building
    • Allow only predetermined MAC addresses and IP addresses to have access to the wireless LAN
    • Use an authentication server instead of relying on a wireless device to authenticate users
  • 72. Countermeasures for Wireless Attacks
    • Use an EAP authentication protocol
    • If you use WEP, use 104-bit encryption rather than 40-bit encryption
      – But just use WPA instead
    • Assign static IP addresses to wireless clients instead of using DHCP
    • Don't broadcast the SSID
  • 73. Countermeasures for Wireless Attacks
    • Place the AP in the demilitarized zone (DMZ) (image from wikipedia)
  • 74. WRAP UP
    • Use these tips to prevent unwanted users
      – Change the default settings on your router
        • When you install the router, change the id and password to something other than the default
      – Disable SSID broadcast
        • Hides the network from beginner intruders, i.e., the Windows Wireless Zero Config utility
        • Will not keep you safe from more advanced hackers
      – Turn off the network when not in use
        • Impossible to hack a network that is not running
      – MAC address filtering
        • AP grants access to certain MAC addresses
        • Not foolproof, but a good countermeasure
      – Encryption
        • Use of WPA
        • Use long and random WPA keys
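The last two wrap-up points (use WPA, with long and random keys) in working form, as an added example that is not from the deck: the key derivation is the one 802.11i specifies for WPA/WPA2-PSK, and it shows why both the passphrase and the SSID matter, since the SSID is the salt. The 80-bit entropy floor and the generator alphabet are assumptions for the example.

```python
"""WPA/WPA2-PSK key derivation and passphrase hygiene. Added example, not
from the slide deck: the derivation is the one 802.11i specifies, while the
entropy threshold and the generator alphabet are assumptions for the example.
"""
import hashlib
import math
import secrets
import string

MIN_ENTROPY_BITS = 80   # assumed policy floor for "long and random"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so one passphrase gives a different PMK on every network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def estimate_entropy_bits(passphrase: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes used)."""
    classes = [
        (26, any(c.islower() for c in passphrase)),
        (26, any(c.isupper() for c in passphrase)),
        (10, any(c.isdigit() for c in passphrase)),
        (33, any(not c.isalnum() for c in passphrase)),
    ]
    charset = sum(size for size, used in classes if used)
    return len(passphrase) * math.log2(charset) if charset else 0.0


def passphrase_issues(passphrase: str) -> list:
    """Checks a candidate against the 802.11i format rules and the policy floor."""
    issues = []
    if not 8 <= len(passphrase) <= 63:
        issues.append("WPA passphrases must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        issues.append("WPA passphrases must be printable ASCII")
    if estimate_entropy_bits(passphrase) < MIN_ENTROPY_BITS:
        issues.append("too guessable; use a long random key")
    return issues


def generate_passphrase(length: int = 24) -> str:
    """Random passphrase from a CSPRNG; letters and digits keep it easy to type."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The test vector "password" / "IEEE" is the one published in the 802.11i annex, so the derivation can be checked against the standard.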
  • 75. Contact
    • Gtalk/Email: ignmantra2@gmail.com
    • Phone: -
    • Materials will be shared: google.drive
    • Govcsirt.kominfo.go.id
  • 76. Email Contact:
    IGN Mantra: mantra@acad-csirt.or.id
    Incident Response: incident@acad-csirt.or.id
    Information: info@acad-csirt.or.id
    URL: www.acad-csirt.or.id
    Facebook: facebook.com/acad-csirt
    THANK YOU - Q & A